In the Internet and mobile communications environments, a user authentication method is indispensable. The SAS one-time password authentication method that makes changing a verifier in every authentication phase is proposed. The method uses hash function five times, but it is high overhead for low spec machines. In this paper, we propose a new method, SAS-2, which reduces 40% overhead of hash function adaptation. The method has a mutual authentication phase which keeps synchronous data communications in an authentication procedure. Moreover, SAS-2 can apply to key-free systems.